Data Protection Act

Data Covered by the Act

Not all computer data is covered by the act. Only personal data which can be associated with individuals is subject to the Data Protection Act.

Here are some examples of the information stored about an individual

• Employment Records
• Credit Records
• Examination Results

Excepted from the act are

• Government Use
• Publicly-available data e.g. Voter Rolls
• Club membership details for mail-shot purposes only

What is not exempted is very wide. One university specifies that keeping old emails constitutes a breach, since most email tools allow you to search old mail for someone's address, or all message by that person, or to search files for their name. Bibliographies - keeping track of papers and books published by an individual to make it easier for you to quote references is also covered.

The Principles of the Data Protection Act of 1984

For full information about proposed changes in the law see: http://www.open.gov.uk/dpr/dprhome.htm

There are eight Principles shown below.

1. The information to be contained in personal data shall be obtained, and personal data shall be processed, fairly and lawfully.

2. Personal data shall be held only for one or more specified and lawful purposes.

3. Data held for any purpose or purposes shall not be used or disclosed in any manner incompatible with that purpose or those purposes.

4. Personal Data held for any purpose or purposes shall be adequate, relevant, and not excessive in relation to that purpose or those purposes.

5. Personal data shall be accurate and, where necessary, kept up to date.

6. Personal data held for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.

7. An individual shall be entitled:

• at reasonable intervals and without undue delay or expense.
  • to be informed by any Data User whether he holds personal data of which that individual is the subject, and
  • to access to any such data held by a Data User, and
• where appropriate, to have such data corrected or erased.

8. Appropriate security measures shall be taken against unauthorised access to, or alteration, disclosure, or destruction of, personal data and against accidental loss or destruction of personal data.

The first seven principles apply to personal data held by data users. The eighth principle applies both to data users and to persons providing a computer bureau service. (Committee of Vice-Chancellors and Principals, "Data Protection Act 1984", London, 1987)

Note the requirement to take appropriate security measures. This means that if you keep any data, you have an obligation to protect it logically - by use of encryption, passwords and IDs, and physically, by restricting access to computer equipment. Two key areas to protect against are breaches of confidentiality (eg "this person is an alcoholic") and theft of data for commercial purposes (taking your designs with you when you leave one job for another)

An Example

This is a typical entry, available online from the Data Protection Registrar by Internet of one part of a local company's storage of information for personnel records. you can search for a past employer's registration details quite easily. Napier has seventeen such areas of registration.

PURPOSE 1

Purpose for which data are to be held or used:

P001 Personnel/Employee Administration

Further details of purpose:

The administration of prospective, current and past employees, including, where applicable, self employed or contract personnel, secondees, temporary staff or voluntary workers.

Typical activities

Typical activities are: recruitment; recording of working time; administration and payment of wages, salaries, pensions and other benefits with deductions; employee assessment and training; negotiation or communication with employees; manpower and career planning; compliance with company policy and/or legislation in relation to health, safety and other employment matters; analysis for management purposes and statutory returns.

Description of personal data (DATA SUBJECT):

• S001 Current, past, potential employees, trainees, voluntary workers
• S005 Current suppliers of goods or services (direct or indirect)
• S007 Current account holders
• S009 Current, past partners, directors, other senior officers
• S035 Current vehicle keepers
• S039 Current, past relatives, dependants, friends, neighbours, referees, associates, contacts of any of those described above

Description of personal data (DATA CLASS):

• C001 Personal identifiers
• C002 Financial identifiers
• C003 Identifiers issued by public bodies
• C011 Personal details
• C023 Details of other family household members
• C024 Other social contacts
• C031 Accommodation or housing
• C034 Travel movement details
• C035 Leisure activities interests
• C087 Pension details

Sources and disclosures directly associated with data subjects:

• D101 SD The data subjects themselves
• D104 SD Employers - past, current or prospective

Sources and disclosures of organisations or individuals (General description):

• D301 SD Inland revenue
• D306 SD Department of employment
• D341 D Police forces
• D362 D Banks
• D363 D Building societies
• D364 SD Insurance companies

Overseas transfers - Specified none:

• T000 None

Computer Misuse Act

There are three criminal offences created by the Computer Misuse Act 1990

Unauthorised access to computer material

This makes "hacking" illegal, specifically:

• a "remote" hacker, working from a distance, who attempts to gain unauthorised access to any program or data held in any computer;
• employees or students or similar who have knowingly exceed their limited authorisation to use a computer.

This includes

• using another person's ID & Password to get access to a computer, hardware (eg printers) or data
• altering, moving, deleting data
• copying or outputting programs or data
• trojan horses to obtain passwords

You would be guilty of an offence only if you use a computer to gain unauthorised access and you know this to be the case at the time. The penalty is up to six months in prison.

Unauthorised access to a computer system with intent…

"Unauthorised access to a computer system with intent to commit or facilitate the commission of a further offence" This is where you commit the above offence, with intent to commit a further offence. e.g. using access to commit theft e.g. adding "free" print credits, using someone else's credit card, re-directing funds to your own bank account.

The penalty for persistent offences is up to five years in prison.

Unauthorised modification of computer material

This offence includes the deliberate erasure or corruption of programs or data, including:

• introduction of viruses and worms,
• modifying or destroying another user's file or system files, etc.

It could conceivably be stretched to malicious use of time-limited software - eg a program that de-installs itself, and all data created using it, after 30 days.

The penalty is up to six months in prison